How to Setup OpenVPN Server on Linux CentOS 7

Understanding CentOS

Each variety of Linux packages different software together and is built upon some variation of the Linux kernel. Furthermore, each flavor is conditionally suited for different types of environments. CentOS seeks to position itself as an enterprise-class operating system, opposed to other operating systems that are more appropriate for personal home use.

Also, you should know that CentOS has roots in RHEL (Red Hat Enterprise Linux). Though it is much younger than its predecessor, CentOS is a great operating system that has developed into an extremely popular, stable, and secure platform with tons of quality software. In fact, in 2010, approximately 30 percent of all web servers using Linux software were running CentOS. It was even more popular than Debian, which is a much older operating system from another branch of Linux.

Fortunately, even if you know little about CentOS, it’s not too difficult to set up your very own OpenVPN server for free. After you have downloaded and installed CentOS, simply use the following steps to set up your server. In this example, I used the latest version of CentOS (version 7).

Installing the OpenVPN Software on CentOS

The first thing you will want to do before installing and configuring OpenVPN on CentOS is to download and install the Extra Packages for Enterprise Linux (EPEL) repository. OpenVPN isn’t included in the default CentOS repositories, so we need EPEL to get access to it.

yum install epel-release

Without a detailed knowledge of all the different packages, you are better off answering ‘y’ to all of the installation prompts. If you know what you are doing, you can get away without installing packages that you deem unnecessary. Now, simply install the packages.

yum install openvpn easy-rsa -y

Note the space after the ‘rsa’ text. Copy the sample server.conf file into /etc/openvpn to be used as a template for our installation.

Open the following file with the vi text editor and make sure the Diffie-Hellman (DH) parameter points at the 2048-bit file:

vi /etc/openvpn/server.conf

dh dh2048.pem

Configuring DNS Servers

Now, uncomment the following three directives to route all client traffic through the tunnel and to push Google’s DNS servers to the clients (note that these lines use plain ASCII double quotes):

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

Setting Default Parameters

Next, uncomment the following two directives so that the OpenVPN process drops root privileges and runs as an unprivileged user after it has started.

user nobody

group nobody
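Hand-editing server.conf invites copy-and-paste mistakes (curly quotes from a web page, a directive left commented out, the wrong DH file). The following POSIX sh checker is an added example, not part of the original article; it assumes the directives exactly as set above and needs only sh and grep.

```shell
#!/bin/sh
# Sanity-check a hand-edited OpenVPN server.conf for the settings this guide sets.
# Added example, not part of the original article. Needs only POSIX sh and grep.
# Usage: sh check_server_conf.sh /etc/openvpn/server.conf  (exit 0 = all checks pass)

# True if the file has an uncommented line starting with the extended regex in $2.
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

check_server_conf() {
    conf="$1"
    rc=0
    # Curly quotes pasted from a web page are not valid quoting for OpenVPN.
    if grep -q -e '“' -e '”' "$conf"; then
        echo "FAIL: curly quotes found; use plain ASCII double quotes" >&2; rc=1
    fi
    # 2048-bit DH parameters, as produced by ./build-dh.
    has_directive "$conf" 'dh[[:space:]]+dh2048\.pem' \
        || { echo "FAIL: expected 'dh dh2048.pem'" >&2; rc=1; }
    # All client traffic and DNS lookups go through the tunnel.
    has_directive "$conf" 'push[[:space:]]+"redirect-gateway def1 bypass-dhcp"' \
        || { echo "FAIL: redirect-gateway push is missing" >&2; rc=1; }
    has_directive "$conf" 'push[[:space:]]+"dhcp-option DNS ' \
        || { echo "FAIL: no DNS server is pushed to clients" >&2; rc=1; }
    # The daemon drops root after start-up.
    has_directive "$conf" 'user[[:space:]]+nobody' \
        || { echo "FAIL: 'user nobody' is missing" >&2; rc=1; }
    has_directive "$conf" 'group[[:space:]]+nobody' \
        || { echo "FAIL: 'group nobody' is missing" >&2; rc=1; }
    return $rc
}

if [ $# -ge 1 ]; then
    check_server_conf "$1"
fi
```

Run it before starting the service; a non-zero exit status lists every directive that still needs attention.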

Now create a directory (folder) to hold the keys and certificates, and copy the easy-rsa scripts into place:

mkdir -p /etc/openvpn/easy-rsa/keys

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

To make things less tedious, we will set default values in the following file. Edit the values to match your personal details or your organization; update the fields enclosed in quotation marks as you see fit:

vi /etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="____"
export KEY_PROVINCE="____"
export KEY_CITY="____"
export KEY_ORG="____"
export KEY_EMAIL="PeterGibbons@example.com"
export KEY_OU="Community"

# X509 Subject Field
export KEY_NAME="server"

Next, we are going to remove the version number from the name of the OpenSSL configuration file, so that our configuration still loads when the OpenSSL version cannot be detected. We will simply copy the file under a new name. Use the following commands:

Generating Keys

Now change your current working directory as follows to begin generating the keys.

cd /etc/openvpn/easy-rsa

source ./vars

Now we need to clean out any existing keys and build a new certificate authority with the following commands. Notice that you are given another opportunity to change any of the information you set as defaults earlier. If you are building multiple keys, however, editing the defaults in the vars file with a text editor will save you time.

./clean-all

./build-ca

It is now time to build the server’s key and certificate, which will be used to establish trust and to encrypt/decrypt traffic, and then the DH parameters.

./build-key-server server

./build-dh

Be prepared to wait: as the shell warns, generating the DH parameters takes a (relatively) long time. After that has completed, copy the keys and certificates to the OpenVPN directory:

cd /etc/openvpn/easy-rsa/keys

cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

If you want, you can generate separate keys and certificates for each client that connects to the VPN server. For this example, though, we will only create them for a client named ‘client’.

cd /etc/openvpn/easy-rsa

./build-key client

Configuring IP Forwarding

Now we need to set up forwarding rules. Start by making sure that iptables is installed and enabled in place of firewalld:

yum install iptables-services -y

systemctl mask firewalld

systemctl enable iptables

systemctl stop firewalld

systemctl start iptables

iptables --flush

Add the following NAT rule so that traffic from the VPN subnet is forwarded out through your public interface, then save the rules. Substitute the subnet you have chosen for your VPN and the name of your outbound interface (eth0 here).

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables-save > /etc/sysconfig/iptables

Open the following file in a text editor and add the line shown below. This enables IP forwarding in the kernel.

vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

Now restart the network service to apply the change.

systemctl restart network.service

Running the Server Software

Finally, we are ready to run the software. Enable the VPN service in systemd and start it.

systemctl -f enable openvpn@server.service

systemctl start openvpn@server.service

The server is now configured and running. All that’s left to do is to install the client on the device you want to connect to the VPN server. Also, understand that your client machines will need a copy of the following three files in order to establish a VPN tunnel:

/etc/openvpn/easy-rsa/keys/ca.crt

/etc/openvpn/easy-rsa/keys/client.crt

/etc/openvpn/easy-rsa/keys/client.key

Additionally, you will want to create a client configuration file that sets the parameters for client connections, and start the client with it:

openvpn --config ~/path/to/client.ovpn

You can create this file with your favorite text editor. Be sure to add the following text. In particular, you will want to edit the names of your key and certificate (in this example, they are named client), update the IP address of your server, and update the file paths to your keys and certificates. If you created additional keys, simply substitute the placeholder paths and names below with those of your own keys.

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
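Before handing a client.ovpn to a user, it is worth checking that the placeholders were actually replaced, that the referenced files exist, and that the private key is not readable by other accounts on the machine. The script below is an added example, not part of the original guide; it assumes the directive names used in the file above and needs only POSIX sh, awk and ls.

```shell
#!/bin/sh
# Check a hand-written client.ovpn: the remote must not be the your_server_ip
# placeholder, the ca/cert/key files must exist, and client.key must be owner-only.
# Added example, not part of the original guide. Needs POSIX sh, awk and ls.
# Usage: sh check_client_ovpn.sh ~/path/to/client.ovpn  (exit 0 = all checks pass)

# Print the first argument of the first uncommented directive $2 in file $1.
ovpn_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

check_client_ovpn() {
    ovpn="$1"
    rc=0
    remote=$(ovpn_value "$ovpn" remote)
    case "$remote" in
        ""|your_server_ip)
            echo "FAIL: remote is missing or still the placeholder" >&2; rc=1 ;;
    esac
    for d in ca cert key; do
        f=$(ovpn_value "$ovpn" "$d")
        if [ -z "$f" ]; then
            echo "FAIL: no $d directive" >&2; rc=1
        elif [ ! -f "$f" ]; then
            echo "FAIL: $d file $f does not exist" >&2; rc=1
        fi
    done
    # Column 8 of 'ls -l' is the "other read" bit; the key must be readable by its owner only.
    key=$(ovpn_value "$ovpn" key)
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c8)" = "r" ]; then
        echo "FAIL: $key is world-readable; run chmod 600 on it" >&2; rc=1
    fi
    return $rc
}

if [ $# -ge 1 ]; then
    check_client_ovpn "$1"
fi
```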

Lastly, you will want to configure your clients with the client software. The process for that largely depends on your operating system, but by now the server is ready to accept client connections. I hope this guide has facilitated your task of setting up OpenVPN on CentOS 7, but if you have any questions, please comment below and I will do my best to answer them.


3 Comments

mildlyinfuriatedgraphicsdesigner, November 28, 2016

I don’t want to nag about a little detail, but the CentOS logo you used in your article is wrong: the blue part in the upper right should be violet. I know it’s not important in this article, but your image shows up pretty high in the Google results for “centos logo” and thus could easily be spread with the error.